Microsoft's April Security Update Includes 4 'Critical' Fixes

April's security update arrived today, packing six bulletins for 11 flaws. Four of the six fixes have been categorized as "critical" -- Microsoft's most severe level.Microsoft defines a critical security issue as "a vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

That said, IT shops may want to prioritize bulletin MS12-027, as it secures a zero-day vulnerability in the Windows Common Control that could lead to a remote code execution attack if left unpatched.

"The 'deploy now' bulletin this month is MS12-027, a bulletin affecting the Windows Common Controls," explained Andrew Storms, director of security operations at security firm nCircle. "This component is included in so many Microsoft programs it affects almost every Microsoft user on the planet."

The affected programs include versions of Microsoft Office, SQL Server, Commerce Server and some Microsoft developer tools, such as Microsoft Visual FoxPro and the Visual Basic 6.0 runtime.

Along with affecting every version of Windows, this fix should be a high priority because, according to Storms, the vulnerability has already been seen in the wild by Microsoft. The attack works when a user visits a specially crafted Web site, which assists an attacker in accessing a system and remotely installing malicious code.

While Storms argued that bulletin MS12-027 should be the top concern in Microsoft's update, other security experts, including VMware's Data and Security Team Manager Jason Miller, are informing customers that bulletin MS12-023 -- a cumulative security update for Internet Explorer -- should be taken care of first. Miller is part of VMware after that company bought Shavlik Technologies in May.

"With any browser (Microsoft or non-Microsoft), patching is always on the top of the priority list as Internet browsers are one of the most targeted pieces of software for exploitation," said Miller in a blog post.

The fix, which targets IE versions 6, 7, 8 and 9, takes care of five privately reported issues that could lead to an attacker gaining the access rights of an unsuspecting user. Unlike the Windows Common Controls fix, the five IE vulnerabilities haven't been seen in the wild as of yet. However, Microsoft warns that successful attacks will likely appear in the next 30 days.

The third critical entry, bulletin MS12-024, takes care of a vulnerability in all versions of Windows that "could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system," according to Microsoft.

To block this from potentially being exploited, the bulletin will modify how the Windows Authenticode Signature Verification classifies a portable executable file for use. Also important to note is that this fix will need to be applied by those persons running the Windows 8 Consumer Preview, as well as the earlier released Windows 8 Developer Preview.

The fourth critical bulletin for the month solves a privately reported flaw in .NET Framework that could lead to a remote code execution attack if a specially crafted Web site is viewed using a browser that can run XAML Browser Applications (XBAPs). Bulletin MS12-025 affects .NET Framework versions running on Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Finally, Microsoft's security update for April includes two "important" bulletins. The first important bulletin, MS12-026, fixes two holes in Forefront Unified Access Gateway that could lead to an information disclosure attack if an attacker sends a specially crafted query to the UAG server. The second important bulletin, MS12-028, takes care of yet another remote code execution flaw in Microsoft Office and Microsoft Works.

Along with Microsoft's monthly update, it is worth noting that Adobe has released its next security update for both its Acrobat and Reader products, which can be found here.